Security experts have painted an alarming picture of the state of security for industrial control systems
Researchers presented some alarming findings about the state of security for supervisory control and data acquisition systems at the Kaspersky Security Analyst Summit on 3 February. SCADA systems are used across varied industries such as oil, water systems, electric grids, controlling building systems, and the basic security model underlying these systems is completely inadequate, they said.
Two researchers decided to try to find 100 bugs in 100 days in industrial control system software, Terry McCorkle, an industry researcher, told attendees at the conference. As they began their research, it quickly became evident the team had underestimated the severity of the problem.
“Ultimately, what we found is the state of ICS security is kind of laughable,” McCorkle said.
The bugs were “straight out of the ’90s”, and for the most part, were “blatantly obvious” flaws, according to McCorkle. McCorkle and his partner in the project, Billy Rios, used fuzzing techniques and found over 1,000 bugs in ICS software. McCorkle said a lot of the people he spoke with in the industry had never thought to try fuzzing to look for vulnerabilities in ICS software.
File format issues were the most prevalent, followed by ActiveX, according to McCorkle. They found several SQL vulnerabilities but no SQL injection flaws, and lots of buffer overflow issues.
There were examples of how ICS software were executing VBScript to open command shells and other applications, as well as websites having direct access to the Windows registry. They reported 1,035 bugs that cause systems to crash and 95 that were easily exploitable to vendors, McCorkle said.
The exploitable bugs included issues that could be exploited by cross-site scripting. The 1,035 bugs would have required someone to spend some time to find a way to exploit the vulnerability, but McCorkle was confident some could be exploited.
Although McCorkle and his team had reported those vulnerabilities to the vendors, the problem remained as to how the systems would get patched. If the vendor decided to patch the issue, which is not always a given, there was still the question of how to notify administrators and how to actually distribute and install the patches, McCorkle said.
Many of the systems that are now Internet accessible were not originally designed to be connected, and some have embedded web services and mobile interfaces that make it even easier to connect remotely. Many SCADA systems are available online with weak passwords such as ‘100’, according to McCorkle.
When programmable logic controllers were developed, security was not a priority, Tiffany Rad, a computer science professor at the University of Southern Maine, John Strauchs, an engineer, and penetration tester Teague Newman, concurred in their presentation on SCADA vulnerabilities in correctional facilities.
“Security through obscurity no longer works with SCADA,” Rad said.
Rad and her team were able to find control systems that were connected to the Internet that administrators hadn’t even known about. “The belief that PLCs are not vulnerable because they’re not connected to the Internet is not true,” Strauchs said.
McCorkle cited the work of a different researcher who was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants.
While some may have been test systems, some of them were actually in production. Only 17 percent of the systems found asked remote users for authorisation to connect, according to that research.
“People are gonna get owned; it’s going to hurt,” McCorkle said.
Security researchers have been criticising how SCADA vendors handle patching for a long time. At a recent S4 Conference in Miami, a team of six security researchers assessed the security of six programmable logic controllers widely used in the industry.
One of the tested systems, the D20 ME PLC from General Electric, lacked security controls, had multiple remotely exploitable vulnerabilities, and had several “back door” administrative accounts, the researchers said at S4. Despite the security issues, statements from GE suggested that fixes are unlikely because of the age of the hardware being used in the device, researchers said.
That same team partnered with Rapid7 and Tenable Network Security to release testing modules for Metasploit and Nessus vulnerability scanning suites that organisations can use to find the disclosed vulnerabilities within their environments.
While the module for GE D20 PLC from General Electric is available, other modules targeting Rockwell Automation, Schneider Motion and Koyo/Direct LOGIC controllers are expected soon.